By Alan Markoff
As recently as 2007, cybersecurity was not included in the annual public threat assessment the United States intelligence community gives to Congress.
“The word ‘cyber’ wasn’t anywhere in that threat assessment,” said cybersecurity expert Amy Zegart during a keynote presentation titled “Emerging Technology, Geopolitics & the Future of Intelligence” on 6 May at the day-long virtual Royal Fidelity Cayman Economic Outlook conference, for which Dart was a sponsor. “It was not on the horizon of threats confronting the nation.”
Only five years later, however, the sitting U.S. secretary of defense, Leon Panetta, warned of a “cyber Pearl Harbor” of threats to the country’s physical infrastructure, financial networks and transportation networks.
In the nine years since, cyberthreats have increased significantly, resulting in costly cyberattacks against private companies ranging from the retailer Target to the multinational pharmaceutical company Merck & Co., as well as hacks against U.S. government entities and Hillary Clinton’s presidential campaign in 2016.
Ironically, the day after Zegart gave her presentation, the Colonial Pipeline in the United States fell victim to a ransomware cybersecurity attack that forced it to temporarily shut down its pipeline operations, leading to gasoline shortages throughout the U.S. Southeast. Less than a week later, President Joe Biden signed an executive order intended to strengthen the government’s cybersecurity defences.
Zegart, who is a professor at the Stanford Graduate School of Business and the co-director of the Stanford Cyber Policy Program, said cyberthreats will continue to increase, partially because of the money involved.
“Cybercrime pays,” she said. “We know it’s estimated now to be worth more than global illicit drug trade. It’s big business — approximately US$600 billion dollars a year.”
Protecting from cybercrime
Zegart recommends three things companies can do to protect themselves from cybercrime.
“The first is, ‘Don’t leave the door wide open,’” she said. “Most cyberbreaches are a result of very basic lapses, like weak passwords and the lack of multifactor authentication. Just fixing those problems can dramatically improve your protection.”
Secondly, Zegart said companies should assume that cyber attackers are going to get into their networks, so they should have a plan for how they will operate while infected.
“You need to have triage plans,” she said. “How are you going to communicate with your customers? How are you going to make sure that the most important information in your organisation is the most protected information?”
Zegart’s third recommendation for companies is to know how cybersecure their third-party contractors are. When Target was hacked in 2013 — a cyber attack that ended up costing the company almost US$300 million — the breach came through the company’s heating and air-conditioning contractor.
“Target did a lot of things right in cybersecurity … but they didn’t think about their vendors and their vendors’ cybersecurity weaknesses,” she said. “So always ask ‘How secure are my vendors?’ … because the weakest link will let the bad guys in.”
In addition to financially motivated cybercrimes, there are several other cyberthreats facing companies and nations, including online espionage.
Other cyberthreats are aimed at destroying, degrading or deceiving their targets, Zegart said.
“The range of cyber bad actors runs the gamut from Cheetos-eating teens to nation states,” she said. “Everyone in cyberspace is a target, whether you’re a Hollywood movie studio like Sony Pictures, a Saudi oil company, a Norwegian aluminum company, a city water plant or the Department of Defense in the United States.”
Zegart, who served as a member of the U.S. National Security Council staff in the past, said cyber deception was the most recent variety of threats in the cyber landscape.
“Russia, we know, is among the foremost of these threat actors, interfering in the U.S. presidential elections in 2016 and again in 2020,” she said. “And that’s just the beginning of the deception revolution in cyberspace.”
That deception revolution has implications for businesses as well as for politics, Zegart said, pointing to digitally manipulated “deep fakes” of photographs, video and audio as something everyone should be aware of.
She cited a “Wall Street Journal” article about how an executive of a U.K.-based energy company was tricked into sending nearly US$250,000 to a Hungarian supplier because he was told to do so by deep fake audio that mimicked the German accent and lilt of the voice of his boss.
Cyber deception also includes disinformation, which is something that both the leaders of countries and the leaders of businesses have to contend with, Zegart said.
“Democracies are used to believing that the answer to bad speech is more speech, but research is increasingly finding that when falsehoods are reported frequently and by many sources, people believe them,” she said. “That’s exactly the online ecosystem in which we find ourselves today. More speech isn’t leading to truth; more speech is leading to deception.”
This article originally appeared in the June 2021 print edition of Camana Bay Times with the headline “Cyberthreats on the rise.”
About the author
Alan Markoff has worked with Dart as the editor for Camana Bay Times for four years and has been writing professionally since 1997. Born and raised in Cleveland, Ohio, Alan graduated from the State University of New York at Albany with a degree in English, and first moved to the Cayman Islands in 1982. He has 17 years of experience in the real estate industry and previously worked as a journalist for the Cayman Compass before joining Dart to relaunch the Camana Bay Times monthly newspaper. Alan is passionate about food and wine and he loves to write about both those subjects. He is also the leader of Grand Cayman’s Slow Food Chapter.